Client keytab ignored when CC has expired
Greg Hudson
ghudson at MIT.EDU
Thu Jul 31 11:52:51 EDT 2014
On 07/31/2014 03:24 AM, Michael Osipov wrote:
> That sounds reasonable and should solve the issue. Albeit, I do think that the detection
> algorithm could be better and pursue a best-effort/match/seldom-fail approach. It make the
> entire process idiot-proof.
I have opened a ticket for this:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7976
I'm not sure if the process can be made completely idiot-proof, but it
can certainly work better for the case where someone manually obtains
credentials for the same principal as the one in the client keytab. If
a person gets credentials for a different principal, it's harder to be
predictable.
More information about the Kerberos
mailing list